The assignee is Cisco Systems, Inc., a California corporation having an office at 170 West Tasman Drive, San Jose, CA 95134.

Title of the Invention 

Network Flow Switching and Flow Data Export 

Background of the Invention 

1. Field of the Invention

This invention relates to network switching and data 
export responsive to message flow patterns. 

2. Description of Related Art 

In computer networks, it commonly occurs that message traffic between a particular source and a particular destination will continue for a time with unchanged routing or switching parameters. For example, when using the file-transfer protocol "FTP" there is substantial message traffic between the file's source location and the file's destination location, comprising the transfer of many packets which have similar headers, differing in the actual data which is transmitted. During the time when message traffic continues, routing and switching devices receiving packets comprising that message traffic must examine those packets and determine the processing thereof.

One problem which has arisen in the art is that processing demands on routing and switching devices continue to grow with increased network demand. It continues to be advantageous to provide techniques for processing packets more quickly. This problem has been exacerbated by the addition of more complex forms of processing, such as the use of access control lists.

It would therefore be advantageous to provide techniques in which the amount of processing required for any individual packet could be reduced. With the inventive techniques described herein, information about message flow patterns is used to identify packets for which processing has already been determined, and therefore to process those packets without having to re-determine the same processing. The amount of processing required for any individual packet is therefore reduced.

Information about message flow patterns would also be valuable for providing information about use of the network, and could be used for a variety of purposes by network administrators, routing devices, service providers, and users.

Accordingly, it would be advantageous to provide a technique for network switching and data export responsive to message flow patterns.

Summary of the Invention

The invention provides a method and system for switching in networks responsive to message flow patterns. A message "flow" is defined to comprise a set of packets to be transmitted between a particular source and a particular destination. When routers in a network identify a new message flow, they determine the proper processing for packets in that message flow and cache that information for that message flow. Thereafter, when routers in a network identify a packet which is part of that message flow, they process that packet according to the proper processing for packets in that message flow. The proper processing may include a determination of a destination port for routing those packets and a determination of whether access control permits routing those packets to their indicated destination.

In another aspect of the invention, information about message flow patterns is collected, responsive to identified message flows and their packets. The collected information is reported to devices on the network. The collected information is used for a variety of purposes, including: to diagnose actual or potential network problems, to determine patterns of usage by date and time or by location, to determine which services and which users use a relatively larger or smaller amount of network resources, to determine which services are accessed by particular users, to determine which users access particular services, or to determine usage which falls within selected parameters (such as: access during particular dates or times, access to prohibited services, excessive access to particular services, excessive use of network resources, or lack of proper access).

Brief Description of the Drawings

Figure 1 shows a network in which routing responsive to message flow patterns is performed.

Figure 2 shows a method for routing in networks responsive to message flow patterns.

Figure 3 shows data structures for use with a method for routing in networks responsive to message flow patterns.

Figure 4 shows an IP address cache for use with a method for routing in networks responsive to message flow patterns.

Figure 5 shows a method for collecting and reporting information about message flow patterns.
Description of the Preferred Embodiment

In the following description, a preferred embodiment of the invention is described with regard to preferred process steps and data structures. However, those skilled in the art would recognize, after perusal of this application, that embodiments of the invention may be implemented using a set of general purpose computers operating under program control, and that modification of a set of general purpose computers to implement the process steps and data structures described herein would not require undue invention.

Message Flows 

Figure 1 shows a network in which routing responsive to message flow patterns is performed.

A network 100 includes at least one communication link 110, at least one source device 120, at least one destination device 130, and at least one routing device 140. The routing device 140 is disposed for receiving a set of packets 150 from the source device 120 and routing them to the destination device 130.

The communication link 110 may comprise any form of physical media layer, such as Ethernet, FDDI, or an HDLC serial link.

The routing device 140 comprises a routing processor for performing the process steps described herein, and may include specific hardware constructed or programmed to perform the process steps described herein, a general purpose processor operating under program control, or some combination thereof.



A message flow 160 consists of a unidirectional stream of packets 150 to be transmitted between particular pairs of transport service access points (thus, network-layer addresses and port numbers). In a broad sense, a message flow 160 thus refers to a communication "circuit" between communication endpoints. In a preferred embodiment, a message flow 160 is defined by a network-layer address for a particular source device 120, a particular port number at the source device 120, a network-layer address for a particular destination device 130, a particular port number at the destination device 130, and a particular transmission protocol type. For example, the transmission protocol type may identify a known transmission protocol, such as UDP, TCP, ICMP, or IGMP (internet group management protocol).

In a preferred embodiment for use with a network of networks (an "internet"), the particular source device 120 is identified by its IP (internet protocol) address. The particular port number at the source device 120 is identified by either a port number which is specific to a particular process, or by a standard port number for the particular transmission protocol type. The transmission protocol type itself is identified by its standard IP protocol number; for example, the protocol number for TCP is 6 and the protocol number for UDP is 17. Protocols which have standard (well-known) port numbers include the FTP protocol, the TELNET protocol, an internet telephone protocol, or an internet video protocol such as the "CUSeeMe" protocol; these protocols are known in the art of networking. Similarly, the particular destination device 130 is identified by its IP (internet protocol) address; the particular port number at the destination device 130 is identified by either a port number which is specific to a particular process, or a standard port number for the particular transmission protocol type.
It will be clear to those skilled in the art, after perusing this application, that the concept of a message flow is quite broad, and encompasses a wide variety of possible alternatives within the scope and spirit of the invention. For example, in alternative embodiments, a message flow may be bi-directional instead of unidirectional, a message flow may be identified at a different protocol layer level than that of transport service access points, or a message flow may be identified responsive to other factors. These other factors may include one or more of the following: information in packet headers, packet length, time of packet transmission, or routing conditions on the network (such as relative network congestion or administrative policies with regard to routing and transmission).
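
The following Python function is an added worked example for the flow-key definition above; it is not part of this application and not Cisco's code. It derives the five-tuple key from a raw IPv4 header and, responsive to the protocol type, takes the port numbers from the TCP or UDP header. The treatment of ICMP and IGMP (both ports set to zero), the treatment of non-initial fragments (no transport header is present, so both ports are set to zero rather than guessed) and the canonical ordering used for the bi-directional alternative are this example's own choices; build_ipv4_packet and tcp_segment only construct sample input.

```python
import ipaddress
import struct

# IANA IP protocol numbers (the "transmission protocol type" field of the key).
IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_TCP, IPPROTO_UDP = 1, 2, 6, 17


def parse_flow_key(packet, bidirectional=False):
    """Derive the flow key (src_ip, src_port, dst_ip, dst_port, proto) from the
    header of one IPv4 packet, or return None if the packet cannot be classified.

    Ports are determined responsive to the protocol type: TCP and UDP carry
    port numbers in the transport header; ICMP and IGMP have none, so both
    port fields are 0 (this example's convention, not the application's).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # too short, or not IPv4
    ihl = (packet[0] & 0x0F) * 4                      # header length incl. options
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = int.from_bytes(packet[12:16], "big")
    dst = int.from_bytes(packet[16:20], "big")
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF

    # Only the first fragment carries the transport header with the ports.
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and frag_offset == 0:
        if len(packet) < ihl + 4:
            return None                               # truncated transport header
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    else:
        sport = dport = 0

    if bidirectional and (dst, dport) < (src, sport):
        # Alternative embodiment: canonical ordering so that both directions
        # of one conversation map onto the same key.
        src, sport, dst, dport = dst, dport, src, sport
    return (str(ipaddress.IPv4Address(src)), sport,
            str(ipaddress.IPv4Address(dst)), dport, proto)


def build_ipv4_packet(src_ip, dst_ip, proto, payload=b"", frag_offset=0):
    """Constructed sample input: a minimal IPv4 header (checksum left zero,
    since nothing in this example verifies it) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         frag_offset & 0x1FFF, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header + payload


def tcp_segment(sport, dport):
    """Constructed 20-byte TCP header; only the two port fields matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
```

Calling parse_flow_key on a packet built with build_ipv4_packet("10.1.2.3", "192.0.2.10", IPPROTO_TCP, tcp_segment(40000, 80)) yields ('10.1.2.3', 40000, '192.0.2.10', 80, 6); the reply packet yields the reversed key in the unidirectional case and the identical key when bidirectional=True.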



Network Flow Switching

Figure 2 shows a method for routing in networks responsive to message flow patterns.

In broad overview, the method for routing in networks responsive to message flow patterns comprises two parts. In a first part, the routing device 140 builds and uses a flow cache (described in further detail with regard to figure 3), in which routing information to be used for packets 150 in each particular message flow 160 is recorded and from which such routing information is retrieved for use. In a second part, the routing device 140 maintains the flow cache, such as by removing entries for message flows 160 which are no longer considered valid.

A method 200 for routing in networks responsive to message flow patterns is performed by the routing device 140.

At a flow point 210, the routing device 140 is disposed for building and using the flow cache.

At a step 221, the routing device 140 receives a packet 150.

At a step 222, the routing device 140 identifies a message flow 160 for the packet 150. In a preferred embodiment, the routing device 140 examines a header for the packet 150 and identifies the IP address for the source device 120, the IP address for the destination device 130, and the protocol type for the packet 150. The routing device 140 determines the port number for the source device 120 and the port number for the destination device 130 responsive to the protocol type. Responsive to this set of information, the routing device 140 determines a flow key 310 (described with reference to figure 3) for the message flow 160.



At a step 223, the routing device 140 performs a lookup in a flow cache for the identified message flow 160. If the lookup is unsuccessful, the identified message flow 160 is a "new" message flow 160, and the routing device 140 continues with the step 224. If the lookup is successful, the identified message flow 160 is an "old" message flow 160, and the routing device 140 continues with the step 225.

In a preferred embodiment, the routing device 140 determines a hash table key responsive to the flow key 310. This aspect of the step 223 is described in further detail with regard to figure 3.

At a step 224, the routing device 140 builds a new entry in the flow cache. The routing device 140 determines proper treatment of packets 150 in the message flow 160 and enters information regarding such proper treatment in a data structure pointed to by the new entry in the flow cache. In a preferred embodiment, the routing device 140 determines the proper treatment by performing a lookup in an IP address cache as shown in figure 4.

In a preferred embodiment, the proper treatment of packets 150 in the message flow 160 includes treatment with regard to switching (thus, the routing device 140 determines an output port for switching packets 150 in the message flow 160), with regard to access control (thus, the routing device 140 determines whether packets 150 in the message flow 160 meet the requirements of access control, as defined by access control lists in force at the routing device 140), with regard to accounting (thus, the routing device 140 creates an accounting record for the message flow 160), with regard to encryption (thus, the routing device 140 determines encryption treatment for packets 150 in the message flow 160), and any special treatment for packets 150 in the message flow 160.

In a preferred embodiment, the routing device 140 performs any special processing for new message flows 160 at this time. For example, in one preferred embodiment, the routing device 140 requires that the source device 120 or the destination device 130 must authenticate the message flow 160. In that case, the routing device 140 transmits one or more packets 150 to the source device 120 or the destination device 130 to request information (such as a user identifier and a password) to authenticate the new message flow 160, and receives one or more packets 150 comprising the authentication information. This technique could be useful for implementing security "firewalls" and other authentication systems.

Thereafter, the routing device 140 proceeds with the step 225, using the information from the new entry in the flow cache, just as if the identified message flow 160 were an "old" message flow 160 and the lookup in the flow cache had been successful.

At a step 225, the routing device 140 retrieves routing information from the entry in the flow cache for the identified message flow 160.

In a preferred embodiment, the entry in the flow cache includes a pointer to a rewrite function for at least part of a header for the packet 150. If this pointer is non-null, the routing device 140 invokes the rewrite function to alter the header for the packet 150.

At a step 226, the routing device 140 routes the packet 150 responsive to the routing information retrieved at the step 225.

Thus, in a preferred embodiment, the routing device 140 does not separately determine, for each packet 150 in the message flow 160, the information stored in the entry in the flow cache. Rather, when routing a packet 150 in the message flow 160, the routing device 140 reads the information from the entry in the flow cache and treats the packet 150 according to the information in the entry in the flow cache.

Thus, in a preferred embodiment, the routing device 140 routes the packet 150 to an output port, determines whether access is allowed for the packet 150, determines encryption treatment for the packet 150, and performs any special treatment for the packet 150, all responsive to information in the entry in the flow cache.

In a preferred embodiment, the routing device 140 also enters accounting information in the entry in the flow cache for the packet 150. When routing each packet 150 in the message flow 160, the routing device 140 records the cumulative number of packets 150 and the cumulative number of bytes for the message flow 160.

Because the routing device 140 processes each packet 150 in the message flow 160 responsive to the entry for the message flow 160 in the flow cache, the routing device 140 is able to implement administrative policies which are designated for each message flow 160 rather than for each packet 150. For example, the routing device 140 is able to reserve specific amounts of bandwidth for particular message flows 160 and to queue packets 150 for transmission responsive to the bandwidth reserved for their particular message flows 160.

Because the routing device 140 is able to associate each packet 150 with a particular message flow 160 and to associate each message flow 160 with particular network-layer source and destination addresses, the routing device 140 is able to associate network usage with particular workstations (and therefore with particular users) or with particular services available on the network. This can be used for accounting purposes, for enforcing administrative policies, or for providing usage information to interested parties.

For a first example, the routing device 140 is able to monitor and provide usage information regarding access using the HTTP protocol to world wide web pages at particular sites.

For a second example, the routing device 140 is able to monitor usage information regarding relative use of network resources, and to give priority to those message flows 160 which use relatively fewer network resources. This can occur when a first message flow 160 is using a relatively low-bandwidth transmission channel (such as a 28.8 kilobits per second modem transmission channel) and when a second message flow 160 is using a relatively high-bandwidth transmission channel (such as a T-1 transmission line).

At a flow point 230, the routing device 140 is disposed for maintaining the flow cache.

At a step 241, the routing device 140 examines each entry in the flow cache and compares a current time with the last time a packet 150 was routed using that particular entry. If the difference exceeds a first selected timeout, the message flow 160 represented by that entry is considered to have expired due to nonuse and thus to no longer be valid.

In a preferred embodiment, the routing device 140 also examines the entry in the flow cache and compares a current time with the first time a packet 150 was routed using that particular entry. If the difference exceeds a second selected timeout, the message flow 160 represented by that entry is considered to have expired due to age and thus to no longer be valid. The second selected timeout is preferably about one minute.



Expiring message flows 160 due to age artificially requires that a new message flow 160 must be created for the next packet 150 in the same communication session represented by the old message flow 160 which was expired. However, it is considered preferable to do so because it allows information to be collected and reported about message flows 160 without having to wait for those message flows 160 to expire from nonuse. For example, a multiple-broadcast communication session could reasonably last well beyond the time message flows 160 are expired for age, and if not so expired would mean that information about network usage would not account for significant network usage.

In a preferred embodiment, the routing device 140 also examines the entry in the flow cache and determines if the "next hop" information has changed. If so, the message flow 160 is expired due to changed conditions. Other changed conditions which might cause a message flow 160 to be expired include changes in access control lists or other changes which might affect the proper treatment of packets 150 in the message flow 160. The routing device 140 also expires entries in the flow cache on a least-recently-used basis if the flow cache becomes too full.

If the message flow 160 is still valid, the routing device 140 continues with the next entry in the flow cache until all entries have been examined. If the message flow 160 is no longer valid, the routing device 140 continues with the step 242.

At a step 242, the routing device 140 collects historical information about the message flow 160 from the entry in the flow cache, and deletes the entry.
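
The following Python code is an added worked example covering the switching steps 221 through 226 and the maintenance steps 241 and 242 above; it is not part of this application and not Cisco's implementation. The bucket count of 16,384 and the one-minute age timeout are taken from the text. The fifteen-second nonuse timeout, the four-entry cache limit (chosen tiny so that least-recently-used eviction is exercised), the classify function standing in for the IP address cache and the access control lists, and the ACL "generation" counter used to expire entries after an ACL change are this example's own assumptions.

```python
from collections import OrderedDict

NUM_BUCKETS = 16384        # preferred number of buckets 301
INACTIVE_TIMEOUT = 15.0    # first selected timeout, seconds (assumed value)
ACTIVE_TIMEOUT = 60.0      # second selected timeout: "about one minute"
MAX_ENTRIES = 4            # deliberately tiny so the LRU path runs (assumption)


def hash_key(flow_key):
    """Hash table key derived from the flow key 310 (the text fixes no function)."""
    return hash(flow_key) % NUM_BUCKETS


class FlowEntry:
    """Entry 302: routing, access control, accounting, plus the ACL generation
    the permit decision was made under (this example's addition)."""
    def __init__(self, output_port, permitted, next_hop, acl_gen, now):
        self.output_port, self.permitted, self.next_hop = output_port, permitted, next_hop
        self.acl_gen = acl_gen
        self.first_seen = self.last_seen = now
        self.packets = self.bytes = 0


class FlowCache:
    """Flow cache 300: buckets of (key, entry) lists plus an LRU order."""
    def __init__(self, classify):
        self.classify = classify             # stands in for IP address cache + ACL lookup
        self.buckets = [[] for _ in range(NUM_BUCKETS)]
        self.lru = OrderedDict()             # flow key -> None, least recently used first
        self.acl_generation = 0              # bumped whenever the ACLs in force change
        self.expired = []                    # historical records collected at step 242

    def lookup(self, flow_key):              # step 223
        for key, entry in self.buckets[hash_key(flow_key)]:
            if key == flow_key:
                return entry
        return None

    def switch_packet(self, flow_key, length, now):
        """Steps 223-226 for one packet; returns the output port, or None if dropped."""
        entry = self.lookup(flow_key)
        if entry is None:                    # step 224: new flow, classify once
            if len(self.lru) >= MAX_ENTRIES:
                self._expire(next(iter(self.lru)), "lru", now)
            port, permitted, next_hop = self.classify(flow_key)
            entry = FlowEntry(port, permitted, next_hop, self.acl_generation, now)
            self.buckets[hash_key(flow_key)].append((flow_key, entry))
        self.lru[flow_key] = None
        self.lru.move_to_end(flow_key)
        entry.last_seen, entry.packets, entry.bytes = now, entry.packets + 1, entry.bytes + length
        return entry.output_port if entry.permitted else None

    def maintain(self, now, current_next_hop):
        """Flow point 230 / step 241: expire entries for nonuse, age or changed conditions."""
        for key in list(self.lru):
            entry = self.lookup(key)
            if now - entry.last_seen > INACTIVE_TIMEOUT:
                self._expire(key, "inactive", now)
            elif now - entry.first_seen > ACTIVE_TIMEOUT:
                self._expire(key, "age", now)
            elif current_next_hop(key) != entry.next_hop:
                self._expire(key, "next_hop_changed", now)
            elif entry.acl_gen != self.acl_generation:
                self._expire(key, "acl_changed", now)

    def _expire(self, key, reason, now):     # step 242: collect history, delete entry
        entry = self.lookup(key)
        self.expired.append({"key": key, "reason": reason, "packets": entry.packets,
                             "bytes": entry.bytes, "first": entry.first_seen,
                             "last": entry.last_seen, "permitted": entry.permitted})
        bucket = self.buckets[hash_key(key)]
        bucket[:] = [(k, e) for k, e in bucket if k != key]
        del self.lru[key]


# Constructed routing table and ACL standing in for figure 4 and the ACLs in force.
ROUTES = {1: "10.0.0.1", 2: "10.0.0.2"}          # output port -> next hop

def demo_port(dst_ip):
    return 1 if dst_ip.startswith("192.0.2.") else 2

def demo_classify(flow_key):
    _src, _sport, dst, dport, proto = flow_key
    port = demo_port(dst)
    return port, not (proto == 6 and dport == 23), ROUTES[port]   # ACL: deny telnet

def demo_next_hop(flow_key):
    return ROUTES[demo_port(flow_key[2])]


def run_demo():
    """Drive the cache with constructed packets; returns (decisions, expired records, live)."""
    cache = FlowCache(demo_classify)
    k1 = ("10.1.1.1", 40000, "192.0.2.5", 80, 6)
    k2 = ("10.1.1.1", 40001, "203.0.113.9", 23, 6)
    decisions = [cache.switch_packet(k1, 500, 100.0), cache.switch_packet(k1, 1500, 101.0),
                 cache.switch_packet(k2, 60, 101.0), cache.switch_packet(k1, 40, 105.0)]
    ROUTES[1] = "10.0.0.9"
    cache.maintain(112.0, demo_next_hop)      # k1: next hop changed
    cache.maintain(130.0, demo_next_hop)      # k2: 29 s without a packet
    k3 = ("10.1.1.2", 5000, "198.51.100.7", 53, 17)
    for t in range(130, 200, 10):
        cache.switch_packet(k3, 80, float(t))
    cache.maintain(195.0, demo_next_hop)      # k3: older than one minute
    k4 = ("10.1.1.4", 7000, "198.51.100.7", 80, 6)
    cache.switch_packet(k4, 100, 196.0)
    cache.acl_generation += 1                 # operator changed the ACLs
    cache.maintain(197.0, demo_next_hop)      # k4: cached permit decision is stale
    for i in range(MAX_ENTRIES + 1):          # one more flow than fits: LRU eviction
        cache.switch_packet(("10.1.1.3", 6000 + i, "198.51.100.8", 443, 6), 100, 200.0)
    ROUTES[1] = "10.0.0.1"
    return decisions, cache.expired, len(cache.lru)
```

run_demo() returns the per-packet decisions (output port or None for a dropped packet), the historical records collected at step 242 with the reason each entry expired, and the number of live entries. Two points a practitioner should take from it: the permit/deny decision is made once at step 224 and reused for every later packet of the flow, so a change to the access control lists must expire existing entries (the text lists this among the changed conditions) or established flows keep running under the old decision; and because any host can mint a new flow key per packet simply by varying its source port, the entry limit and least-recently-used eviction are what bound the memory a flood of new flows can consume.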

Flow Cache

Figure 3 shows data structures for use with a method for routing in networks responsive to message flow patterns.

A flow cache 300 comprises a memory which associates flow keys 310 with information about message flows 160 identified by those flow keys 310. The flow cache 300 includes a set of buckets 301. Each bucket 301 includes a linked list of entries 302. Each entry 302 includes information about a particular message flow 160, including routing, access control, accounting, and special treatment for packets 150 in that particular message flow 160, and a pointer to information about treatment of packets 150 to the destination device 130 for that message flow 160.

In a preferred embodiment, the flow cache 300 includes a relatively large number of buckets 301 (preferably about 16,384 buckets 301), so as to minimize the number of entries 302 per bucket 301 and thus so as to minimize the number of memory accesses per entry 302. Each bucket 301 comprises a four-byte pointer to a linked list of entries 302. The linked list preferably includes only about one or two entries 302 at the most.
In a preferred embodiment, each entry 302 includes a set of routing information, a set of access control information, a set of special treatment information, and a set of accounting information, for packets 150 in the message flow 160.

The routing information comprises the output port for routing packets 150 in the message flow 160.

The access control information comprises whether access is permitted for packets 150 in the message flow 160.

The accounting information comprises a time stamp for the first packet 150 in the message flow 160, a time stamp for the most recent packet 150 in the message flow 160, a cumulative count of the number of packets 150 in the message flow 160, and a cumulative count of the number of bytes in the message flow 160.

IP Address Cache 

Figure 4 shows an IP address cache for use with a method for routing in networks responsive to message flow patterns.

An IP address cache 400 comprises a tree having a root node 410, a plurality of inferior nodes 410, and a plurality of leaf data structures 420.



Each node 410 comprises a node/leaf indicator 411 and an array 412 of pointers 413.

The node/leaf indicator 411 indicates whether the node 410 is a node 410 or a leaf data structure 420; for nodes 410 it is set to a "node" value, while for leaf data structures 420 it is set to a "leaf" value.

The array 412 has room for exactly 256 pointers 413; thus, the IP address cache 400 comprises an M-trie with a branching width of 256 at each level. M-tries are known in the art of data structures. IP addresses comprise four bytes, each having eight bits and therefore 256 possible values. Thus, each possible IP address can be stored in the IP address cache 400 using at most four pointers 413.

The inventors have discovered that IP addresses in actual use are unexpectedly clustered, so that the size of the IP address cache 400 is substantially less, by a factor of about five to a factor of about ten, than would be expected for a set of randomly generated four-byte IP addresses.

Each pointer 413 represents a subtree of the IP address cache 400 for its particular location in the array 412. Thus, for the root node 410, the pointer 413 at location 3 represents IP addresses having the form 3.xxx.xxx.xxx, where "xxx" represents any possible value from zero to 255. Similarly, in a subtree for IP addresses having the form 3.xxx.xxx.xxx, the pointer 413 at location 141 represents IP addresses having the form 3.141.xxx.xxx. Similarly, in a subtree for IP addresses having the form 3.141.xxx.xxx, the pointer 413 at location 59 represents IP addresses having the form 3.141.59.xxx. Similarly, in a subtree for IP addresses having the form 3.141.59.xxx, the pointer 413 at location 26 represents the IP address 3.141.59.26.

Each pointer 413 is either null, to indicate that there are no IP addresses for the indicated subtree, or points to an inferior node 410 or leaf data structure 420. A least significant bit of each pointer 413 is reserved to indicate the type of the pointed-to structure; that is, whether the pointed-to structure is a node 410 or a leaf data structure 420. In a preferred embodiment where pointers 413 must identify an address which is aligned on a four-byte boundary, the two least significant bits of each pointer 413 are unused for addressing, and reserving the least significant bit for this purpose does not reduce the scope of the pointer 413.

Each leaf data structure 420 comprises information about the IP address stored in the IP address cache 400. In a preferred embodiment this information includes the proper processing for packets 150 addressed to that IP address, such as a determination of a destination port for routing those packets and a determination of whether access control permits routing those packets to their indicated destination.
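
The following Python class is an added worked example of the IP address cache; it is not part of this application and not Cisco's code. The 256-way branching, the at-most-four-pointer lookup and the leaf contents follow the text; since Python has no pointer tagging, the object's type (Node or Leaf) stands in for the node/leaf indicator 411 and the reserved low bit of the pointer. clustered_vs_random is a constructed comparison that only illustrates why clustered addresses need fewer interior nodes; the counts it produces are not the factor of five to ten the text reports for addresses in actual use.

```python
import random


class Node:
    """Node 410: an array 412 of 256 pointers 413 (None stands for the null pointer)."""
    __slots__ = ("children",)

    def __init__(self):
        self.children = [None] * 256


class Leaf:
    """Leaf data structure 420: the proper processing for one IP address."""
    __slots__ = ("output_port", "permitted")

    def __init__(self, output_port, permitted=True):
        self.output_port = output_port
        self.permitted = permitted


def octets(ip):
    """Split a dotted-quad string into its four bytes, rejecting anything else."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("not an IPv4 address: %r" % ip)
    return parts


class IPAddressCache:
    """256-way M-trie over the four address bytes: at most four pointers per lookup."""

    def __init__(self):
        self.root = Node()

    def insert(self, ip, output_port, permitted=True):
        o = octets(ip)
        node = self.root
        for byte in o[:3]:                    # descend (creating) three interior levels
            child = node.children[byte]
            if child is None:
                child = node.children[byte] = Node()
            node = child
        node.children[o[3]] = Leaf(output_port, permitted)

    def lookup(self, ip):
        """Return the Leaf for an exact address, or None if no entry exists."""
        node = self.root
        for byte in octets(ip):
            node = node.children[byte]
            if node is None:
                return None
        return node if isinstance(node, Leaf) else None

    def node_count(self):
        """Interior nodes allocated; each holds 256 four-byte pointers (1 KiB)."""
        count, stack = 0, [self.root]
        while stack:
            n = stack.pop()
            count += 1
            stack.extend(c for c in n.children if isinstance(c, Node))
        return count


def clustered_vs_random(n=1000, seed=7):
    """Constructed comparison: n hosts drawn from four /24 prefixes versus n
    pseudo-random addresses. Returns the interior-node counts of the two caches."""
    clustered = IPAddressCache()
    prefixes = ["10.0.0", "10.0.1", "192.0.2", "198.51.100"]
    for i in range(n):
        clustered.insert("%s.%d" % (prefixes[i % 4], i // 4 % 256), output_port=i % 4)
    rng = random.Random(seed)
    scattered = IPAddressCache()
    for _ in range(n):
        scattered.insert(".".join(str(rng.randrange(256)) for _ in range(4)), output_port=1)
    return clustered.node_count(), scattered.node_count()
```

Multiplying node_count() by 1 KiB (256 four-byte pointers per node) approximates the memory the cache occupies, which is the quantity the clustering observation in the text is about: a thousand hosts spread over four /24 prefixes need eleven interior nodes, while a thousand scattered addresses need one path of three interior nodes nearly each.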

Flow Data Export

Figure 5 shows a method for collecting and reporting information about message flow patterns.

A method 500 for collecting and reporting information about message flow patterns is performed by the routing device 140.

At a flow point 510, the routing device 140 is disposed for obtaining information about a message flow 160. For example, in a preferred embodiment, as noted herein, the routing device 140 obtains historical information about a message flow 160 in the step 242. In alternative embodiments, the routing device 140 may obtain information about message flows 160, either in addition or instead, by occasional review of entries in the flow cache, or by directly monitoring packets 150 in message flows 160.

It will be clear to those skilled in the art, after perusing this application, that the concept of reporting information about message flows is quite broad, and encompasses a wide variety of possible alternatives within the scope and spirit of the invention. For example, in alternative embodiments, information about message flows may include bi-directional traffic information instead of unidirectional traffic information, information about message flows may include information at a different protocol layer level other than that of transport service access points and other than that at which the message flow is itself defined, or information about message flows may include actual data transmitted as part of the message flow itself. These actual data may include one or more of the following: information in packet headers, information about files or file names transmitted during the message flow, or usage conditions of the message flow (such as whether the message flow involves steady or bursty transmission of data, or is relatively interactive or relatively unidirectional).
9 

At a step 521, the routing device 140 obtains historical information about a particular message flow 160, and records that information in a flow data table.

At a step 522, the routing device 140 determines a size of the flow data table, and compares that size with a selected size value. If the flow data table exceeds the selected size value, the routing device 140 continues with the step 523 to report flow data. If the flow data table does not exceed the selected size value, the routing device 140 returns to the step 521 to obtain historical information about a next particular message flow 160.

At a step 523, the routing device 140 builds an information packet, responsive to the information about message flows 160 which is recorded in the flow data table.

At a step 524, the routing device 140 transmits the information packet to a selected destination device 130 on the network 100. In a preferred embodiment, the selected destination device 130 is determined by an operating parameter of the routing device 140. This operating parameter is set when the routing device 140 is initially configured, and may be altered by an operator of the routing device 140.

In a preferred embodiment, the selected destination device 130 receives the information packet and builds (or updates) a database in the format for the RMON protocol. The RMON protocol is known in the art of network monitoring.

At a flow point 530, a reporting device 540 on the network 100 is disposed for reporting using information about message flows 160.

At a step 531, the reporting device 540 queries the selected destination device 130 for information about message flows 160. In a preferred embodiment, the reporting device 540 uses the RMON protocol to query the selected destination device 130 and to obtain information about message flows 160.

At a step 532, the reporting device 540 builds a report about a condition of the network 100, responsive to information about message flows 160.

At a step 533, the reporting device 540 displays or transmits that report about the condition of the network 100 to interested parties.
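
The following Python code is an added worked example for the flow data export steps 521 through 524 and for the receiving and reporting side; it is not part of this application, and the record layout it packs is this example's own, not the wire format of NetFlow, RMON or any other real protocol. The flush threshold of three records is an assumed selected size value. The sequence number in the packet header and the loss count kept by the Collector are a practitioner's addition: if an information packet is lost in transit, a collector without sequence numbers cannot tell that flows are missing from its database, and the usage it then reports is silently incomplete.

```python
import ipaddress
import struct

# Constructed record layout for this example only: a compact encoding of the
# fields the text lists (addresses, ports, protocol, packet and byte counts,
# first and last time stamp). It is NOT any real NetFlow or RMON format.
EXPORT_VERSION = 1
HEADER_FMT = "!HHII"           # version, record count, export time (s), sequence number
RECORD_FMT = "!4s4sHHBxIIII"   # src, dst, sport, dport, proto, pad, packets, bytes, first, last
MAX_TABLE = 3                  # selected size value of step 522 (assumed: flush above 3 records)


def pack_export_packet(records, sequence, now):
    """Step 523: build one information packet from the flow data table."""
    body = b"".join(struct.pack(RECORD_FMT,
                                ipaddress.IPv4Address(r["src"]).packed,
                                ipaddress.IPv4Address(r["dst"]).packed,
                                r["sport"], r["dport"], r["proto"],
                                r["packets"], r["bytes"], r["first"], r["last"])
                    for r in records)
    return struct.pack(HEADER_FMT, EXPORT_VERSION, len(records), now, sequence) + body


def unpack_export_packet(data):
    """Parse a packet; the declared record count is checked against the length
    before it is trusted, so a truncated or forged packet raises ValueError."""
    hsize, rsize = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)
    if len(data) < hsize:
        raise ValueError("short export packet")
    version, count, exported_at, sequence = struct.unpack(HEADER_FMT, data[:hsize])
    if version != EXPORT_VERSION or len(data) != hsize + count * rsize:
        raise ValueError("malformed export packet")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, data, hsize + i * rsize)
        records.append({"src": str(ipaddress.IPv4Address(f[0])),
                        "dst": str(ipaddress.IPv4Address(f[1])),
                        "sport": f[2], "dport": f[3], "proto": f[4],
                        "packets": f[5], "bytes": f[6], "first": f[7], "last": f[8]})
    return sequence, exported_at, records


class Exporter:
    """Routing device side (steps 521-524): the flow data table is flushed when
    it grows past the selected size. `send` stands in for transmission to the
    selected destination device 130."""
    def __init__(self, send):
        self.send, self.table, self.sequence = send, [], 0

    def record_flow(self, record, now):                 # step 521
        self.table.append(record)
        if len(self.table) > MAX_TABLE:                 # step 522
            self.flush(now)

    def flush(self, now):                               # steps 523 and 524
        if self.table:
            self.send(pack_export_packet(self.table, self.sequence, now))
            self.sequence += 1
            self.table = []


class Collector:
    """Selected destination device 130: keeps the flow database and counts
    export packets lost between router and collector (practitioner's addition)."""
    def __init__(self):
        self.flows, self.expected_seq, self.lost_packets = [], 0, 0

    def receive(self, data):
        seq, _exported_at, records = unpack_export_packet(data)
        if seq > self.expected_seq:                     # gap: packets lost in transit
            self.lost_packets += seq - self.expected_seq
        if seq >= self.expected_seq:
            self.expected_seq = seq + 1
        self.flows.extend(records)

    def top_talkers(self, n=2):
        """Reporting device view (step 532): bytes sent per source address."""
        totals = {}
        for r in self.flows:
            totals[r["src"]] = totals.get(r["src"], 0) + r["bytes"]
        return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def run_demo():
    """Constructed run: eleven expired flows are exported in three packets and
    the second packet is dropped. Returns (packets sent, lost, flows kept, top)."""
    wire = []
    exporter = Exporter(wire.append)
    for i in range(11):
        exporter.record_flow({"src": "10.0.0.%d" % (i % 3 + 1), "dst": "192.0.2.8",
                              "sport": 40000 + i, "dport": 80, "proto": 6,
                              "packets": i + 1, "bytes": 100 * (i + 1),
                              "first": 1000 + i, "last": 1005 + i}, now=2000 + i)
    exporter.flush(now=2100)
    collector = Collector()
    for n, packet in enumerate(wire):
        if n != 1:
            collector.receive(packet)
    return len(wire), collector.lost_packets, len(collector.flows), collector.top_talkers()
```

run_demo() shows both sides: the router flushes after the fourth and eighth records and once more at the end, the collector notices from the sequence gap that one packet (four flows) never arrived, and the top-talkers report is computed from the seven flows it did receive.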
In preferred embodiments, the report may comprise one or more of a wide variety of information, and interested parties may use that information for one or more of a wide variety of purposes. Some possible purposes are noted herein:

Interested parties may diagnose actual or potential network problems. For example, the report may comprise information about packets 150 in particular message flows 160, including a time stamp for a first packet 150 and a time stamp for a last packet 150 in the message flow 160, a cumulative total number of bytes in the message flow 160, a cumulative total number of packets 150 in the message flow 160, or other information relevant to diagnosing actual or potential network problems.

Interested parties may determine patterns of usage of the network by date and time or by location. For example, the report may comprise information about which users or which services on the network are making relatively heavy use of resources. In a preferred embodiment, usage of the network 100 is displayed in a graphical form which shows use of the network 100 in a false-color map, so that network administrators and other interested parties may rapidly determine which services, which users, and which communication links are relatively loaded or relatively unloaded with demand.

Interested parties may determine which services are accessed by particular users, or which users access particular services. For example, the report may comprise information about which services are accessed by particular users at a particular device on the network 100, or which users access a particular service at a particular device on the network 100. This information may be used to market or otherwise enhance these services. In a preferred embodiment, users who access a particular world wide web page using the HTTP protocol are recorded, and information is sent to those users about changes to that web page and about further services available from the producers of that web page. Providers of the particular web page may also collect information about access to their web page in response to date and time of access, and location of accessing user.

Information about patterns of usage of the network, or about which services are accessed by particular users, or which users access particular services, may be used to implement accounting or billing for resources, or to set limits for resource usage, such as by particular users, by particular service providers, or by particular protocol types (and therefore by particular types of services).

Interested parties may determine usage which falls within (or without) selected parameters. These selected parameters may involve access during particular dates or times, such as for example access to particular services during or outside normal working hours. For example, it may be desirable to record those accesses to a company database which occur outside normal working hours.

These selected parameters may involve access to prohibited services, excessive access to particular services, or exces-
sive use of network resources, such as for example access to particular servers using the HTTP protocol or the FTP protocol which fall within (or without) a particular administrative policy. For example, it may be desirable to record accesses to repositories of games or other recreational material, particularly those accesses which occur within normal working hours.

These selected parameters may involve lack of proper access, such as for example access control list failures or unauthorized attempts to access secure services. For example, it may be desirable to record unauthorized attempts to access secure services, particularly those attempts which form a pattern which might indicate a concerted attempt to gain unauthorized access.

In alternative embodiments, the routing device 140 could save the actual packets 150 for the message flow 160, or some part thereof, for later examination. For example, a TELNET session (a message flow 160 comprising use of the TELNET protocol by a user and a host) could be recorded in its entirety, or some portion thereof, for later examination, e.g., to diagnose problems noted with the network or with the particular host.

In further alternative embodiments, the routing device 140 could save the actual packets 150 for selected message flows 160 which meet certain selected parameters, such as repeated unauthorized attempts to gain access.



In embodiments where actual packets 150 of the message flow 160 are saved, it would be desirable to perform a name translation (such as a reverse DNS lookup), because the IP addresses for the source device 120 and the destination device 130 are transitory. Thus, it would be preferable to determine the symbolic names for the source device 120 and the destination device 130 from the IP addresses, so that the recorded data would have greater meaning at a later time.
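As an added example (not code from the patent or from Cisco), the following Python builds the kind of report described in the passages above from flow records carrying the fields named earlier: time stamps of the first and last packet, cumulative packet count and cumulative byte count. It flags accesses to a company database server outside normal working hours, sources whose flows were repeatedly refused by an access control list, and the heaviest sources by byte count, and it applies a name translation before the report is kept. The flow records, the addresses (documentation ranges), the names and the `table_resolver` lookup are all constructed so the example runs offline; a deployment would substitute a reverse DNS lookup such as `socket.gethostbyaddr` for `table_resolver`.

```python
"""Flow report from exported flow records: off-hours database access,
repeated access control list denials, heaviest sources, name translation."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    src: str                  # address of the source device
    dst: str                  # address of the destination device
    dst_port: int
    protocol: str
    first_seen: datetime      # time stamp of the first packet in the flow
    last_seen: datetime       # time stamp of the last packet in the flow
    packets: int              # cumulative packet count for the flow
    octets: int               # cumulative byte count for the flow
    acl_denied: bool = False  # flow was refused by an access control list

    @property
    def duration_seconds(self) -> float:
        return (self.last_seen - self.first_seen).total_seconds()


# Constructed sample data (hypothetical addresses and names, not from the patent).
DB_SERVER = "192.0.2.10"
NAMES = {
    "192.0.2.10": "db1.corp.example",
    "192.0.2.20": "bastion.corp.example",
    "198.51.100.7": "ws-alice.corp.example",
    "198.51.100.8": "ws-bob.corp.example",
}


def _flow(src, dst, port, first, last, packets, octets, denied=False) -> FlowRecord:
    return FlowRecord(src, dst, port, "tcp", datetime.fromisoformat(first),
                      datetime.fromisoformat(last), packets, octets, denied)


# 2024-03-05 is a Tuesday, 2024-03-09 a Saturday.
SAMPLE_FLOWS = [
    _flow("198.51.100.7", DB_SERVER, 5432, "2024-03-05T10:15:00", "2024-03-05T10:16:30", 40, 20480),
    _flow("198.51.100.7", DB_SERVER, 5432, "2024-03-05T23:40:00", "2024-03-05T23:58:00", 900, 4_000_000),
    _flow("198.51.100.7", DB_SERVER, 5432, "2024-03-09T14:00:00", "2024-03-09T14:05:00", 60, 30720),
    _flow("203.0.113.9", "192.0.2.20", 22, "2024-03-05T02:01:00", "2024-03-05T02:01:01", 1, 60, denied=True),
    _flow("203.0.113.9", "192.0.2.20", 22, "2024-03-05T02:02:00", "2024-03-05T02:02:01", 1, 60, denied=True),
    _flow("203.0.113.9", "192.0.2.20", 22, "2024-03-05T02:03:00", "2024-03-05T02:03:01", 1, 60, denied=True),
    _flow("198.51.100.8", "192.0.2.20", 22, "2024-03-05T11:00:00", "2024-03-05T11:00:01", 1, 60, denied=True),
]


def outside_working_hours(ts: datetime, start_hour: int = 9, end_hour: int = 18) -> bool:
    """True on weekends or outside [start_hour, end_hour) on weekdays."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def off_hours_accesses(flows: Iterable[FlowRecord], servers: Set[str]) -> List[FlowRecord]:
    """Accepted flows to the named servers whose first packet arrived off hours."""
    return [f for f in flows
            if f.dst in servers and not f.acl_denied and outside_working_hours(f.first_seen)]


def repeated_denials(flows: Iterable[FlowRecord], threshold: int = 3) -> Dict[str, int]:
    """Sources refused by an access control list at least `threshold` times."""
    counts = Counter(f.src for f in flows if f.acl_denied)
    return {src: n for src, n in counts.items() if n >= threshold}


def top_talkers(flows: Iterable[FlowRecord], n: int = 2) -> List[Tuple[str, int]]:
    """Sources ranked by cumulative bytes across all their flows."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.src] += f.octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def table_resolver(addr: str) -> str:
    """Constructed stand-in for a reverse DNS lookup; unknown addresses stay as-is."""
    return NAMES.get(addr, addr)


def build_report(flows: List[FlowRecord], servers: Set[str],
                 resolver: Callable[[str], str], threshold: int = 3) -> dict:
    """Translate addresses to names at report time, since the addresses are transitory."""
    return {
        "off_hours_database_access": [
            {"user": resolver(f.src), "server": resolver(f.dst), "port": f.dst_port,
             "first_seen": f.first_seen.isoformat(), "duration_s": f.duration_seconds,
             "packets": f.packets, "octets": f.octets}
            for f in off_hours_accesses(flows, servers)],
        "repeated_acl_denials": {resolver(s): n for s, n in repeated_denials(flows, threshold).items()},
        "top_talkers": [(resolver(s), b) for s, b in top_talkers(flows)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_FLOWS, {DB_SERVER}, table_resolver), indent=2))
```

The off-hours test keys on the time stamp of the first packet, so a flow that starts in working hours and runs past the end of the day is not flagged; a stricter policy would also examine `last_seen`. Name translation runs once, when the report is built, which is the point of the passage above: the flow records themselves carry only addresses, and those may mean something different by the time the report is read.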

Alternative Embodiments 

Although preferred embodiments are disclosed herein, 
many variations are possible which remain within the concept, 
scope, and spirit of the invention, and these variations would 
become clear to those skilled in the art after perusal of this 
application. 